Google: Spyware Found, Removed from Android Market

Google says it has suspended a number of suspicious applications from the Android Market after researchers at NC State announced they had discovered a new and particularly stealthy piece of spyware, dubbed “Plankton,” lurking in Android applications there.

According to a report by computer science professor Xuxian Jiang, the Plankton spyware represents an evolution in Android malware by attempting to obscure itself using a native class loading capability, rather than trying to gain root access to Android phones. The NC State team claims this sort of exploitation is the first of its kind.

Ten Android apps in the official Android Market are known to be infected, but many more could be victims of the Plankton Trojan. Jiang claims that early variants of the Trojan have evaded detection for as long as two months.

A Google spokesman said the company has already taken action to remove the malicious applications.

“We’re aware of and have suspended a number of suspicious applications from Android Market,” a Google spokesperson told Threatpost. “We remove apps and developer accounts that violate our policies.”

Plankton works like a parasite, latching onto its host applications as a background service that has no effect on the app's intended purpose. When a user runs an infected application on their Android phone, Plankton collects information such as the device ID and list of granted permissions and sends them via HTTP POST message to a remote update server, the NC State researchers found.

That remote server returns a URL pointing to an executable file for the device to download. Once downloaded, the jar file is dynamically loaded. In this way, the payload evades static analysis and is difficult to detect.
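The downloaded payload is invisible to static analysis, but the host app's own reference to a runtime code loader is not. The triage sketch below is an added example, not code from the NC State report or from Google; it assumes the loader is Android's `DexClassLoader` or `DexFile` (the article does not name the API) and runs on constructed manifest and smali lines.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Dalvik type descriptors: runtime code loaders, and HTTP clients of that era.
LOADERS = ("Ldalvik/system/DexClassLoader;", "Ldalvik/system/DexFile;")
HTTP_CLIENTS = ("Lorg/apache/http/client/methods/HttpPost;",
                "Ljava/net/HttpURLConnection;")

# Constructed sample input (not taken from any real app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
SMALI_SUSPECT = [
    "new-instance v0, Lorg/apache/http/client/methods/HttpPost;",
    'const-string v1, "update.jar"',
    "new-instance v2, Ldalvik/system/DexClassLoader;",
    "invoke-direct {v2, v3, v4, v5, v6}, Ldalvik/system/DexClassLoader;-><init>"
    "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V",
]
SMALI_BENIGN = ["invoke-virtual {v0}, Landroid/app/Activity;->finish()V"]

def permissions(manifest_xml):
    """Names of all <uses-permission> entries in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def references(smali_lines, descriptors):
    """(line_number, descriptor) for each invoke/new-instance on a listed type."""
    hits = []
    for n, line in enumerate(smali_lines, 1):
        op = line.strip()
        if op.startswith(("invoke-", "new-instance")):
            hits += [(n, d) for d in descriptors if d in op]
    return hits

def triage(manifest_xml, smali_lines):
    """Flag for manual review: runtime code loading plus network access."""
    loaders = references(smali_lines, LOADERS)
    net = "android.permission.INTERNET" in permissions(manifest_xml)
    return {"loader_refs": loaders, "internet": net,
            "http_refs": references(smali_lines, HTTP_CLIENTS),
            "review": bool(loaders) and net}

if __name__ == "__main__":
    print(triage(MANIFEST, SMALI_SUSPECT))
```

Dynamic loading also has legitimate uses, so a hit is a reason to inspect what the app fetches and loads, not a verdict.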

Analysis of the payload shows that the virus does not provide root exploits, but supports a number of bot-related commands. One interesting function is that the virus can be used to collect information on users’ accounts.

Google has historically taken a hands-off approach to policing the Android Marketplace. It will suspend and remove suspicious or malicious applications when they’re reported, but does not vet applications prior to posting them, as Apple does with its AppStore. A growing population of Android users and burgeoning Android Marketplace, however, may challenge that approach.

A company spokesman said that the company has security measures in place to ensure the integrity of Android applications.

“We are committed to providing a secure Android Market experience for consumers. Our approach includes clearly defined Android Market Content policies that developers must adhere to, plus a multi-layered security model based on user permissions and application sandboxing. Applications in violation of our policies are removed from Android Market,” he said in an e-mail message.

It certainly looks like this is the beginning of the end of a free and open marketplace.

I work in the Mobile Device Management space and this question keeps coming up time and time again. How do we protect our corporate networks from these apps? I am sure there are similar infections in iOS; it's just that no one has found them yet.
